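//
// Copyright (C) 2015 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//

#ifndef ATTESTATION_COMMON_CRYPTO_UTILITY_H_
#define ATTESTATION_COMMON_CRYPTO_UTILITY_H_

#include <stddef.h>  // size_t, used by GetRandom().

#include <string>

#include "attestation/common/common.pb.h"

namespace attestation {

// An abstract interface which provides helpers for cryptography-related tasks.
//
// Every method returns bool. This header does not specify what an output
// parameter holds when a method returns false, so callers should check the
// result before using any output.
class CryptoUtility {
 public:
  virtual ~CryptoUtility() = default;

  // Generates |num_bytes| of |random_data|. Returns true on success. If this
  // returns false, |random_data| should not be used as random material.
  virtual bool GetRandom(size_t num_bytes, std::string* random_data) const = 0;

  // Creates a random |aes_key| and seals it to the TPM's PCR0, producing a
  // |sealed_key|. Returns true on success.
  // |aes_key| is the unsealed key and should be handled as a secret;
  // |sealed_key| is the form that EncryptData() embeds in its output.
  // NOTE(review): sealing to PCR0 presumably means the key can be unsealed
  // only while PCR0 holds the value it had at seal time -- confirm against the
  // TPM-backed implementation.
  virtual bool CreateSealedKey(std::string* aes_key,
                               std::string* sealed_key) = 0;

  // Encrypts the given |data| using the |aes_key|. The |sealed_key| will be
  // embedded in the |encrypted_data| to assist with decryption. It can be
  // extracted from the |encrypted_data| using UnsealKey(). Returns true on
  // success.
  // NOTE(review): this header does not state the cipher mode or whether
  // |encrypted_data| carries an integrity check. Implementations should
  // document this, since it decides whether a blob modified at rest is
  // detected by DecryptData().
  virtual bool EncryptData(const std::string& data,
                           const std::string& aes_key,
                           const std::string& sealed_key,
                           std::string* encrypted_data) = 0;

  // Extracts and unseals the |aes_key| from the |sealed_key| embedded in
  // the given |encrypted_data|. The |sealed_key| is also provided as an output
  // so callers can make subsequent calls to EncryptData() with the same key.
  // Returns true on success.
  // The caller supplies no key here: the sealed key is taken from
  // |encrypted_data| itself.
  virtual bool UnsealKey(const std::string& encrypted_data,
                         std::string* aes_key,
                         std::string* sealed_key) = 0;

  // Decrypts |encrypted_data| using |aes_key|, producing the decrypted |data|.
  // Returns true on success.
  // NOTE(review): whether a false return also covers a failed integrity check
  // is not stated here -- confirm against the implementation.
  virtual bool DecryptData(const std::string& encrypted_data,
                           const std::string& aes_key,
                           std::string* data) = 0;

  // Convert |public_key| from PKCS #1 RSAPublicKey to X.509
  // SubjectPublicKeyInfo. On success returns true and provides the
  // |public_key_info|.
  virtual bool GetRSASubjectPublicKeyInfo(const std::string& public_key,
                                          std::string* public_key_info) = 0;

  // Convert |public_key_info| from X.509 SubjectPublicKeyInfo to PKCS #1
  // RSAPublicKey. On success returns true and provides the |public_key|.
  virtual bool GetRSAPublicKey(const std::string& public_key_info,
                               std::string* public_key) = 0;

  // Encrypts a |credential| in a format compatible with TPM attestation key
  // activation. The |ek_public_key_info| must be provided in X.509
  // SubjectPublicKeyInfo format and the |aik_public_key| must be provided in
  // TPM_PUBKEY format.
  // NOTE(review): the return value is not documented; presumably true on
  // success, as for the other methods -- confirm.
  virtual bool EncryptIdentityCredential(
      const std::string& credential,
      const std::string& ek_public_key_info,
      const std::string& aik_public_key,
      EncryptedIdentityCredential* encrypted) = 0;

  // Encrypts |data| in a format compatible with the TPM unbind operation. The
  // |public_key| must be provided in X.509 SubjectPublicKeyInfo format.
  // NOTE(review): the return value is not documented; presumably true on
  // success, as for the other methods -- confirm.
  virtual bool EncryptForUnbind(const std::string& public_key,
                                const std::string& data,
                                std::string* encrypted_data) = 0;

  // Verifies a PKCS #1 v1.5 SHA-256 |signature| over |data|. The |public_key|
  // must be provided in X.509 SubjectPublicKeyInfo format.
  // NOTE(review): the return value is not documented; presumably true only
  // when the signature is valid, with false covering both an invalid
  // signature and a processing error such as an unparsable |public_key| --
  // confirm. Callers should treat every false as a failed verification.
  virtual bool VerifySignature(const std::string& public_key,
                               const std::string& data,
                               const std::string& signature) = 0;
};

}  // namespace attestation

#endif  // ATTESTATION_COMMON_CRYPTO_UTILITY_H_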